What Is A Honeypot?

3/30/20 9:00 AM |
by RedLegg Blog

Your organization's cybersecurity team can gather threat intelligence through various ways, such as through open-source or private, subscription threat intel feeds.

Another avenue is a honeypot. Honeypots can be another great source of security information on cyber threats, attackers, their tools, as well as threat actor tactics, techniques, and procedures (TTPs) along with additional valuable information related to the attack.

The knowledge gathered through honeypots can provide your organization with insights into attacker behavior. Furthermore, honeypots can shed light on emerging attacks and threats that don't yet have signatures or methods of detection.

Therefore, a honeypot is an extraordinarily valuable asset to your cyber threat intelligence.

What Is a Honeypot and How Do I Use It?

A honeypot is an intentionally vulnerable system used to simulate critical infrastructure, services, and configurations. Cybersecurity professionals use this computer system as a decoy to set a trap and lure potential attackers.

Honeypots fall into the category of deception technology, a form of incident detection and response tech with the goal of detecting, analyzing, and defending against advanced threats. Cybersecurity teams achieve this goal by utilizing deception technology, honeypots, to attract attackers who will potentially interact with false IT assets that are deployed strategically to appear as valuable targets.

Honeypots are designed to allow attackers into that system, so your cybersecurity team is already expecting the attack to be conducted in a controlled environment. This allows threat analysts to write rules, establish new measures to protect against various emerging attacks, and build threat intelligence lists for future detection that can be fed back into your data stream.

What Is a Honeynet?

A honeynet is a distributed honeypot network. Instead of deploying only a single honeypot, the ideal solution is to utilize several in the form of a honeynet that then operates in multiple locations to maximize the diversity of attack vector and adversaries.

Operating a honeynet can be a logical step in evolving your security program. This is most effective when you already have an established Threat Intelligence team researching the current attack landscape.

Network diversity is a crucial element to gather decent threat intelligence from honeypots, and network diversity in this case would mean that your organization is actively operating honeypots all over the internet, including on multiple cloud providers, hosts, as well as internal and external networks.

What Are the Different Types of Honeypots?

High-interaction honeypot: Instead of mimicking a full-scale production system, high-interaction honeypots imitate running all the services of a real production system.

Example: Full operating systems that are configured to record everything the threat actor does during the attack. However, this OS honeypot prevents the attacker from propagating malware to assets outside of the honeypot's network (that consists mostly of more honeypots).

Low-interaction honeypot: Mostly deployed in a production environment, low-interaction honeypots function as early detection mechanisms by running only a limited number of services. While attackers can't do much with this honeypot type as it has substantial limitations and lacks fully functional services, it is simple to use, and cybersecurity teams can deploy it rapidly.

Example: Automated bots that scan or check for a vulnerability in generic and malicious internet traffic, such as automated brute forcers, SSH bots, and input sanitization checker bots.

Malware honeypot: In some cases, attackers will try to infect open or vulnerable systems, and they attempt this by hosting a malware sample on an open or vulnerable box. Hosting the malware on a random server allows easier access for the malware to infiltrate an IT environment as the server's IP was not on a threat list. Therefore, honeypots can be used to acquire massive amounts of new malware samples.

Example: A honeypot emulating a USB device that tricks a USB-spreading malware that has infected a machine to infect the emulated device.

Spam honeypot: Spam honeypots are used to emulate open proxies and to mail relays to acquire information on current spam and email spam-based malware campaign trends.

Example: Fake open SMTP relays that can provide knowledge on the current spam trends as well as insights into what is using an organization's SMTP relay to send the spam emails. Other forms of spam honeypots are forum or comment honeypots that can be used to spread fake information, malware, and phishing links.

Client honeypot: While most honeypots are servers listening for connections, client honeypots replicate the important parts of a client's environment to help with more targeted attacks. It's crucial to note that no actual client data is used for these honeypots. Instead, client honeypots make the fake host look identical to a legit host.

Example: Using finger printable data, such as operating system information, running services, and open ports.

Who Uses Honeypots?

Researchers: Cyber security researchers of non-profit organizations and educational institutions use honeypots to research the emerging TTPs of different attacks.

Threat intelligence teams: Threat intel teams in organizations and service providers operate honeypots to research attacker trends as well as to mitigate the risks of potential attacks.

What Are the Benefits of a Honeypot Feed?

If honeypots are operated decently – by ensuring that the attacks are conducted in a controlled environment and by preventing threat actors from moving to actual production systems after exploiting a honeypot –, they provide great benefits for organizations that seek to step up their cybersecurity posture.

Slower Attack Resulting in Faster Incident Response

In the case that a honeypot is deployed in your IT infrastructure, it can slow down the attacker who is actively searching for vulnerabilities within your environment as they will be trying to exploit a fake machine instead of something more valuable.

When the honeypot is triggered by the attacker, it will send your organization an alert to investigate and respond to the breach.

In many cases, a honeypot can help cybersecurity teams to respond to an ongoing attack before the threat actor can successfully exfiltrate data from your IT environment.

Easy to Deploy With Low Maintenance

While your team can easily download and install honeypots, the alerts they provide on possible attacks and vulnerabilities are pretty accurate.

Furthermore, the maintenance of internal honeypots required from cybersecurity teams is so low that some organizations can even forget about them until they receive an alert.

While honeypots/nets deployed on a larger scale and on external resources do take considerably more effort to operate, the insights they can provide is more than worth it.

An Easy Way to Test Your Cybersecurity Team

In addition to offering precise alerts and requiring low maintenance, honeypots can also be used to test the cybersecurity skills of your organization's employees.

This way, you can determine whether your team can investigate threat alerts in time and respond with the proper countermeasures. You may even consider this a tabletop exercise in its own right.